A sophisticated malware operation, identified as Janela RAT, is targeting financial entities and cryptocurrency services throughout Latin America. The campaign uses deceptive MSI installer files and malicious browser extensions to steal sensitive financial information from victims.
Janela RAT: A New Threat in Latin America
Initially detected in mid-2023, Janela RAT is considered an evolved form of the older BX RAT, now enhanced with advanced functionalities. The malware is specifically designed to target individuals and organizations in Chile, Colombia, and Mexico, with a focus on the banking, fintech, and cryptocurrency industries.
The attackers behind Janela RAT are financially driven, aiming to steal credentials and gain unauthorized access to financial accounts. According to KPMG experts, this multi-layered attack poses a significant risk to the financial infrastructure in the region.
How Janela RAT Operates
Researchers have observed that Janela RAT masquerades as legitimate software on public GitLab repositories, complicating detection. This campaign’s ability to silently manipulate browser settings and maintain encrypted communication with attacker-operated servers makes it challenging to counteract.
The implications of this campaign extend beyond mere data theft. By accessing browser information such as cookies, saved credentials, and browsing history, attackers can fully monitor and control a victim’s financial activities. This level of intrusion allows for account takeover and real-time transaction monitoring without the victim’s knowledge, posing severe operational and reputational risks to affected organizations.
Technical Details and Defensive Measures
The infection process begins when a user unknowingly executes an MSI-format software installer from a public GitLab repository. This installer initiates a sequence of scripts—written in Go, PowerShell, and batch—each contributing to the malware’s deployment. A Go-based unpacker is used to extract encrypted command-and-control (C2) information, which is then stored in a config.json file for ongoing operations.
Simultaneously, the scripts search for any Chromium-based browsers on the machine, modify their startup settings, and install a malicious extension to harvest sensitive data. The extension functions as a native messaging host, gathering system details, cookies, browsing history, and more. It also monitors for specific URL patterns, triggering further actions upon encountering banking or cryptocurrency sites.
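As an added illustration of how a defender can audit a Windows host for the two artifacts just described (a rogue native messaging host registration and a tampered browser launch command), the following Python is example code written for this page, not part of the report or of any vendor tooling. The trusted directory prefixes, the sample manifests and the shortcut target are constructed assumptions; the manifest fields and launch flags are standard Chromium ones.

```python
"""Audit Chromium native messaging host manifests and browser launch targets
for the tampering pattern described above (constructed example)."""
import json
import re
from dataclasses import dataclass
from typing import List

# Where a legitimately installed host binary is expected to live (assumption for the example).
TRUSTED_PREFIXES = (r"c:\program files", r"c:\program files (x86)")
# Launch flags that side-load an extension or weaken the browser's extension policy.
SUSPICIOUS_FLAGS = ("--load-extension", "--disable-extensions-except", "--remote-debugging-port")


@dataclass
class Finding:
    kind: str
    detail: str


def audit_manifest(raw: str) -> List[Finding]:
    """Flag a host manifest whose binary lives outside trusted directories or whose
    allowed_origins entry is not a well-formed Chromium extension id (32 chars, a-p)."""
    try:
        manifest = json.loads(raw)
    except json.JSONDecodeError:
        return [Finding("malformed-manifest", raw[:40])]
    findings: List[Finding] = []
    path = str(manifest.get("path", "")).lower()
    if not path.startswith(TRUSTED_PREFIXES):
        findings.append(Finding("host-outside-trusted-dir", path))
    for origin in manifest.get("allowed_origins", []):
        if not re.fullmatch(r"chrome-extension://[a-p]{32}/", origin):
            findings.append(Finding("bad-origin", origin))
    return findings


def audit_shortcut_target(target_line: str) -> List[Finding]:
    """Flag a browser launch command line that carries extension side-load flags."""
    lowered = target_line.lower()
    return [Finding("suspicious-launch-flag", flag) for flag in SUSPICIOUS_FLAGS if flag in lowered]


# Constructed samples: one clean manifest, one mimicking the tampering described in the text.
CLEAN_MANIFEST = json.dumps({"name": "com.example.host", "path": r"C:\Program Files\Example\host.exe",
                             "type": "stdio", "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"]})
SUSPECT_MANIFEST = json.dumps({"name": "com.update.helper", "path": r"C:\Users\victim\AppData\Local\Temp\h.exe",
                               "type": "stdio", "allowed_origins": ["chrome-extension://" + "b" * 32 + "/"]})
SUSPECT_SHORTCUT = r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Roaming\ext"'

if __name__ == "__main__":
    for raw in (CLEAN_MANIFEST, SUSPECT_MANIFEST):
        print(audit_manifest(raw))
    print(audit_shortcut_target(SUSPECT_SHORTCUT))
```

On a real host the manifests would be read from the per-user and per-machine NativeMessagingHosts locations and the shortcut targets from the user's Start Menu and Desktop; the functions take the raw text so they can also be run over collected forensic copies.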
To remain undetected, Janela RAT employs encrypted WebSocket connections and obfuscates its communication domains. It dynamically changes C2 addresses and remains inactive during idle periods to avoid detection by behavior-based security systems.
Security teams are encouraged to monitor their environments for known Indicators of Compromise (IoCs) related to Janela RAT. It is crucial to ensure all Windows systems are updated and protected with multi-factor authentication. Conducting comprehensive threat assessments can help identify vulnerabilities and improve security defenses.
